Oracle E-Business Suite Zero-Day Exploitation and Emergency Patching
Oracle E-Business Suite (EBS) has been the target of a sophisticated cyberattack campaign exploiting multiple zero-day vulnerabilities, resulting in significant data breaches and prompting an urgent security response. According to reports, dozens of organizations have been impacted by the exploitation of a critical flaw in Oracle EBS, tracked as CVE-2025-61882, which has been actively used by threat actors since at least August 2025. The attackers leveraged a chain of vulnerabilities, including CVE-2025-61882 and a newly disclosed CVE-2025-61884, to gain unauthorized access to sensitive data and deploy various malware payloads such as GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE. The Clop ransomware group has been linked to these attacks, using the vulnerabilities to breach networks, exfiltrate data, and extort victims. Oracle responded by releasing an emergency patch for CVE-2025-61884, which affects EBS versions 12.2.3 to 12.2.14, warning that the flaw could be exploited remotely by unauthenticated attackers to steal sensitive information. Security researchers from CrowdStrike observed that Clop had been exploiting CVE-2025-61882 as a zero-day since early August, and other threat groups may have joined the campaign. The vulnerabilities allow attackers to achieve remote code execution and information disclosure, posing a severe risk to organizations running affected EBS versions. Oracle strongly advised customers to apply the emergency updates or mitigations immediately to prevent further exploitation. The attacks have resulted in the exfiltration of large volumes of sensitive data, including financial documents, employee IDs, contracts, and internal reports, with some organizations facing significant operational disruptions and potential financial losses. The campaign demonstrates the increasing sophistication of ransomware and extortion groups, who are now chaining multiple vulnerabilities and targeting widely used enterprise platforms. 
Security experts have emphasized the importance of timely patching, robust monitoring, and incident response planning to mitigate the risks associated with zero-day exploitation. The incident also highlights the need for organizations to review their exposure to third-party software vulnerabilities and strengthen their supply chain security posture. Oracle's rapid release of emergency patches underscores the critical nature of the threat and the ongoing arms race between software vendors and cybercriminals. The exploitation of Oracle EBS zero-days is part of a broader trend of attackers targeting business-critical applications to maximize impact and leverage for extortion. Organizations are urged to remain vigilant, monitor for signs of compromise, and ensure that all security updates are applied without delay. The incident serves as a stark reminder of the persistent threat posed by advanced cybercriminal groups and the necessity of proactive cybersecurity measures in the face of evolving attack techniques.
Related Stories
Oracle E-Business Suite Zero-Day Exploited for Remote Code Execution and Data Theft
Oracle E-Business Suite (EBS) was found to contain a critical zero-day vulnerability, tracked as CVE-2025-61884 and CVE-2025-61882, which allowed unauthenticated remote code execution and was actively exploited by threat actors, including the Clop ransomware group. The vulnerability, present in EBS versions 12.2.3 through 12.2.14, enabled attackers to access sensitive resources without authentication by exploiting a pre-authentication Server-Side Request Forgery (SSRF) flaw. Oracle released an out-of-band security update to address the issue, but did so without publicly acknowledging that the flaw was being actively exploited or that a proof-of-concept exploit had been leaked by the ShinyHunters extortion group. Security researchers and customers confirmed that the patch addressed the SSRF vulnerability used in the attacks. The exploit chain was complex, involving an unauthenticated HTTP POST to a specific servlet, manipulation of return_url parameters to trigger SSRF, CRLF/header injection, HTTP connection reuse, and ultimately the delivery of a malicious XSL stylesheet. This XSLT payload, containing embedded Java code, was processed by the server, leading to arbitrary code execution and the potential for attackers to spawn reverse shells. The Clop ransomware group sent extortion emails to Oracle EBS customers, claiming to have stolen sensitive data by exploiting this flaw, and confirmed their involvement in the campaign. The attack campaign was detected by Mandiant and Google, who observed that multiple threat actors were leveraging the vulnerability for data theft and extortion. The exploit chain demonstrated the risk of chaining multiple weaknesses in enterprise software to achieve full remote code execution. Security vendors, such as Imperva, responded by confirming protection for their customers against this exploit. The incident highlighted Oracle's lack of transparency regarding active exploitation and the public availability of exploit code. 
The technical details of the exploit, including SSRF, CRLF injection, and XSLT-based code execution, underscored the sophistication of the attack. The vulnerability's exploitation in the wild emphasized the importance of rapid patching and monitoring for signs of compromise in Oracle EBS environments. The campaign also illustrated the ongoing threat posed by ransomware and extortion groups targeting critical business applications. Organizations using Oracle EBS were urged to apply the security update immediately and review their systems for indicators of compromise. The incident raised concerns about the security of widely used enterprise resource planning (ERP) platforms and the need for proactive vulnerability management.
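The chain described above starts with a return_url parameter that is bent into an SSRF and header-injection vector, which gives defenders something concrete to look for in web-server logs. The following detection script is an added example, not code from the article or from Oracle; the servlet path, the allowed-host list, the log format and the sample log lines are all constructed for illustration.

```python
"""Flag requests whose return_url carries CRLF sequences or points off-host.
Added example: servlet path, log format and sample lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts the application may legitimately return to (assumption for the example).
ALLOWED_HOSTS = {"ebs.example.internal"}

# Combined-log style line: ip - - [ts] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def inspect_request(path):
    """Return the reasons a request path looks like return_url abuse."""
    reasons = []
    query = urlsplit(path).query
    # parse_qs already percent-decodes once; unquote again to catch double encoding
    for raw in parse_qs(query, keep_blank_values=True).get("return_url", []):
        value = unquote(raw)
        if "\r" in value or "\n" in value:
            reasons.append("crlf_in_return_url")
        target = urlsplit(value)  # urlsplit drops newlines, so the host still parses
        if target.scheme and target.hostname and target.hostname not in ALLOWED_HOSTS:
            reasons.append(f"offhost_return_url:{target.hostname}")
    return reasons

def scan_log(lines):
    """Return (ip, path, reasons) for every line that trips a check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m["path"])
        if reasons:
            hits.append((m["ip"], m["path"], reasons))
    return hits

# Constructed sample: one benign relative return_url, one with an encoded CRLF
# header injection and an external host, one with only an external host.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2025:12:00:01 +0000] "GET /OA_HTML/example/servlet?return_url=/OA_HTML/home HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2025:12:00:02 +0000] "POST /OA_HTML/example/servlet?return_url=http://203.0.113.9/x%0d%0aX-Injected:%201 HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Oct/2025:12:00:03 +0000] "POST /OA_HTML/example/servlet?return_url=http://198.51.100.7/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(reasons), path)
```

Point the scanner at the real access logs of the EBS web tier and replace ALLOWED_HOSTS with the hostnames the application actually serves; a hit is a lead for the incident responder, not proof of compromise on its own.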
Oracle E-Business Suite Zero-Day Exploited by Cl0p in Mass Extortion Campaign
Cl0p ransomware operators launched a widespread extortion campaign targeting Oracle E-Business Suite (EBS) customers by exploiting a previously unknown zero-day vulnerability, later assigned CVE-2024-61882. The campaign began as early as July or August, with Google's threat intelligence team tracking the exploitation weeks before Oracle became aware of the issue. Attackers leveraged the vulnerability to gain unauthorized access to EBS environments, deploying sophisticated multi-stage Java-based implants such as GOLDVEIN, SAGEGIFT, and SAGEWAVE. These implants operated entirely in memory, making detection difficult, and communicated with command-and-control servers using traffic disguised as legitimate TLS handshakes. The payloads were stored directly in the EBS database, and attackers used compromised third-party email services to facilitate their operations. Once data was exfiltrated, Cl0p initiated mass extortion by sending emails to executives, threatening to release stolen information unless a ransom was paid. The attack pattern mirrored previous Cl0p campaigns, notably the MOVEit mass exploitation, indicating a strategic focus on widely used enterprise applications. Oracle responded by releasing emergency patches on October 4th, but by that time, many organizations had already suffered breaches and data theft. The campaign highlighted the risks associated with delayed vulnerability disclosure and patching in critical business applications. Security researchers emphasized the technical sophistication of the implants, which were designed to evade traditional endpoint detection and response (EDR) solutions. The incident underscored the importance of proactive threat intelligence and rapid patch management for organizations relying on Oracle EBS. Industry observers noted that the campaign's scale and impact were significant, with numerous enterprises affected globally. 
The use of in-memory implants and stealthy C2 communications represented an evolution in Cl0p's tactics, making incident response and forensic analysis more challenging. The attack also raised concerns about the security of third-party integrations and the broader supply chain within enterprise environments. Oracle's emergency response included not only patches but also guidance for detecting signs of compromise and mitigating further risk. The event served as a stark reminder of the persistent threat posed by ransomware groups targeting high-value enterprise software platforms. Organizations were urged to review their security posture, monitor for unusual activity in EBS environments, and apply patches without delay. The campaign's exposure prompted renewed calls for improved collaboration between software vendors, threat intelligence teams, and end users to reduce the window of opportunity for attackers.
Critical Remote Code Execution Vulnerability in Oracle E-Business Suite Exploited by Clop Ransomware
Oracle E-Business Suite (EBS) was found to contain a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-61882, which has been actively exploited in the wild. The flaw resides in the Oracle Concurrent Processing component, specifically within the BI Publisher Integration, and carries a CVSS base score of 9.8 due to its unauthenticated and easily exploitable nature. Attackers can leverage this vulnerability to execute arbitrary code remotely without requiring valid credentials, posing a severe risk to organizations running affected EBS versions. Oracle confirmed that versions 12.2.3 through 12.2.14 are impacted by this vulnerability. The company released an emergency security update to address the issue, but customers must first apply the October 2023 Critical Patch Update before deploying the new fix. The vulnerability was exploited by the Clop ransomware group in a series of data theft attacks in August 2025, resulting in significant data exfiltration from multiple victims. Mandiant's CTO, Charles Carmakal, confirmed that Clop leveraged both this zero-day and other previously patched vulnerabilities in their campaign. Oracle's advisory included indicators of compromise that matched exploit details shared by threat actors on Telegram, highlighting the public availability of exploit information. The exploitation of this flaw underscores the importance of timely patch management, especially for business-critical applications like Oracle EBS. Oracle has urged all customers to prioritize the application of the latest patches to mitigate the risk of further exploitation. The incident demonstrates the increasing trend of ransomware groups targeting enterprise software vulnerabilities for large-scale data theft. Security researchers have emphasized the need for organizations to monitor for signs of compromise and to review their EBS deployments for unauthorized activity. 
The rapid release of a security alert and patch by Oracle reflects the urgency and severity of the threat posed by CVE-2025-61882. Organizations are advised to follow Oracle's remediation guidance closely and to remain vigilant for related threat activity. The incident has raised concerns about the security posture of widely used ERP platforms and the potential for future exploitation of similar vulnerabilities. The Clop attacks serve as a reminder that threat actors are adept at chaining multiple vulnerabilities to maximize impact. This event highlights the criticality of maintaining up-to-date security controls and monitoring for exploitation attempts targeting high-value enterprise systems.